We are currently experiencing an issue where a PowerShell script is running on a couple of our VMs. This script is causing havoc on our VM servers, as it is using 100% of the CPU on each of the affected VMs, rendering them slow and unresponsive.

We have softened the impact of this script by setting the priority to low and changing the affinity to 1 core via Task Manager; however, the script continues to run. We also checked the account it is running under and can see that it is running as the local system account.

I fear that it is malicious and would really like to get rid of it.

I am still a Junior Tech, so my I.T. knowledge is lacking (currently studying at the moment); therefore I am unsure how to proceed with the aforementioned. I thought this would be a great learning opportunity to bring this up on SpiceWorks to see what the community says.

I return with good news! ESET was able to assist me with squashing this malware.

It appears that many of our machines still had not been patched for the EternalBlue exploit; according to what I understand, this is why the malware spread so rapidly. After I provided the information to ESET, they were able to provide me with a fix. After the fix was applied to the affected VMs, they immediately became stable once again.

I have been monitoring our environment since Friday evening and nothing has returned so far.

Please see below for detailed steps to remove this sort of malware:

Step 1: Run WMILister_20.vbs

Save the attached WMILister file on the affected machine and rename it to have an extension of .vbs. (This VBS will log any non-expected scripting in the WMI database, and it will determine if the machine is indeed infected.)

From an administrative command prompt, change directories to where you saved the .vbs file and run the command:

cscript //nologo WMILister_20.vbs > DumpedScrpts.txt

ESET also provided this last command; however, it was not our environment. We were asked to run it just in case the logging didn't find any ActiveScriptEventConsumer items, so run it just to be sure.

Close port 3389 on your router (this is likely open and needs to be closed while you reset all passwords for all users). To prevent RDP brute force, you can enforce password policies that lock out after a handful of attempts. Also, implementing 2FA will prevent a password from being used if it is compromised.

Hopefully this fix will work for you as well as it worked for me.

Thanks to all who assisted on this issue and ESET for providing a fix!

I will continue to monitor the situation; however, things are looking optimistic.

Generally, to call a PowerShell script from outside PowerShell you need to call the PS executable and provide the script as an argument. An example that I have used from the CMD environment is as follows:

The -noexit flag keeps the PowerShell window open after the command completes. One possible gotcha is that if the path to your script file contains a space, you should enter an ampersand (&) before the script, as in:

There are other, slightly more exotic ways to do the same, but that should at least get you going.

Also, have you made sure that you have the proper script execution policy set? By default, PowerShell does not allow you to run scripts; you need to set-executionpolicy to something appropriate. I usually use set-executionpolicy remotesigned, but I recommend reading get-help set-executionpolicy -full for more information.

Regarding task scheduling, you could instead use the RunOnce entry in HKLM>Software>Microsoft>windows instead. You could also set the registry entry for powershell execution policy in the same reg file:


That looks a lot like it could be using your computer for some type of botnet activity - be it sending mass spam or mining bitcoins. Since your AV isn't picking it up, you might just be able to delete the script and the task, but nuke and pave would be the only way to be sure. What AV are you using?

We are assuming it has something to do with mining.

Yes, our AV is not picking anything up. We have tried to locate the script; however, we are unable to find it. How would one even find the script and delete it? We have checked scheduled tasks and there is nothing suspicious or related to the PowerShell script. I would like to nuke it; however, I cannot find the source. The only thing I can determine is that it is using the system account to run the script.

We are currently using ESET.

You could also look at the run/runonce keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Also try running Process Explorer to get more info about the process. Right-clicking the process and choosing 'Properties' will give you loads of info:

Hi Big Green Man,

I have checked the registry keys as per your post and I find nothing suspicious. All I find under these paths is the Default REG_SZ.

One of our technicians restarted the server where the script was running; it usually takes around 60 - 90 min for the script to start up. I am currently waiting for the script to start again so I may investigate it using Process Explorer.

I've no idea what that code is doing, and some of it is missing, but I can be pretty confident that it's malicious considering how much obfuscation there is.

I wrote the PowerShell script out again and it seems to be pulling through better; perhaps the decoder I used removed some of the script, as this one is quite different. I used a different decoder this time.

I have attached the results, already decoded from Base64, perhaps the new results will make sense... I hope.

Just to keep you guys up to date on the matter: ESET stated we have malware using WMI for persistence. It's likely the malware is using our servers for bitcoin mining and might be trying to spread using the EternalBlue exploit. This type of infection is typically the result of a brute-force RDP attack that succeeded in guessing administrative credentials.

ESET provided me a script and asked me to send the results. I have done so, and they confirmed that once the results are reviewed they will advise on steps to remediate the issue.

If a fix is found I will report back with detailed steps on how to do so, in case someone lands up on this thread with a similar issue.
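Both the WMILister step in the earlier update and ESET's statement above describe the same check: looking in the WMI root\subscription namespace for event subscriptions that should not be there. The script below is an added example, not code from the thread or from ESET, that enumerates the same classes with built-in Windows PowerShell cmdlets so each filter-to-consumer binding can be reviewed and exported as evidence before anything is removed; the output path under $env:TEMP is an assumption.

```powershell
# Added example (not from the thread or from ESET): list WMI permanent event
# subscriptions, the persistence mechanism identified above, for review.
# Run in an elevated Windows PowerShell session on the affected host.
$ns = 'root\subscription'
$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

# Binding reference properties are WMI paths such as
# __EventFilter.Name="SCM Event Log Filter"; extract the Name from the path.
function Get-RefName([string]$path) {
    if ($path -match 'Name="(?<n>[^"]*)"') { return $Matches['n'] }
    return $path
}

# The payload lives in different properties depending on the consumer class;
# script consumers usually carry the (often Base64-packed) script inline.
function Get-Payload($consumer) {
    switch ($consumer.__CLASS) {
        'ActiveScriptEventConsumer' { if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName } }
        'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
        default                     { '' }
    }
}

$report = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName }
    $c = $consumers | Where-Object { $_.Name -eq $cName }
    # Script and command-line consumers are the classes that execute code. The
    # stock "SCM Event Log" pair uses NTEventLogEventConsumer and is expected.
    $executes = [bool]$c -and ($c.__CLASS -in 'ActiveScriptEventConsumer','CommandLineEventConsumer')
    [pscustomobject]@{
        Filter        = $fName
        Query         = if ($f) { $f.Query } else { '<missing filter>' }
        Consumer      = $cName
        ConsumerClass = if ($c) { $c.__CLASS } else { '<missing consumer>' }
        Review        = $executes
        Payload       = if ($c) { Get-Payload $c } else { '' }
    }
}

$report | Sort-Object Review -Descending | Format-List
# Keep the evidence (query text and payload) for the AV vendor before removing
# a binding, then its filter and consumer, with Remove-WmiObject.
$report | Export-Clixml -Path "$env:TEMP\wmi-subscriptions.xml"
```

Entries with Review set to True and a filter Query that polls on a short WITHIN interval are the ones to compare against the WMILister output; a binding with a missing filter or consumer is also worth noting, since it can be the leftover of a partial cleanup.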